CAASM is a Dead End

August 22, 2024

CAASM: Dead-End Approach or Worthwhile Journey?

Cyber Asset Attack Surface Management (CAASM) is focused on helping security teams overcome asset visibility challenges. Asset visibility is foundational to any security program: knowing what assets exist in the environment and where those assets reside. CAASM provides a holistic view of an organization’s asset inventory by consolidating internal and external asset data.

However, the current approach to Cyber Asset Attack Surface Management (CAASM) is fast becoming obsolete. Recent Gartner reports suggest that CAASM tools offering little beyond asset management and consolidation are likely to become obsolete in the near future.

How do organizations use CAASM today?

Security and IT leaders invest in CAASM solutions to solve one pressing issue: consolidating and gaining visibility into all internal assets. Over the last few years, new technologies (cloud, containers, APIs, IoT, OT) introduced a slew of assets to manage. The initial response to this complexity was the development of CAASM, designed to consolidate and manage these diverse assets into a single, cohesive view.

The questions IT and security leaders most frequently ask of their CAASM tools are:

1. How many assets do we own?
2. Do we have security control gaps?
3. How are these assets distributed among various business units?
4. Are these assets compliant with local and global compliance policies?

CAASM tools import asset information from existing security and IT tools via API connectors. The data is then deduplicated, normalized, and correlated to provide a clean asset inventory.
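The import, deduplicate, normalize and correlate pipeline described above, reduced to a small working model that also answers two of the inventory questions listed earlier (asset count and security-control gaps). This is an added example, not Balbix code or any CAASM vendor's code; the three source feeds, field names and the choice of MAC address and short hostname as correlation keys are constructed assumptions for illustration.

```python
"""Toy CAASM-style consolidation: normalize, deduplicate and correlate asset
records pulled from several source tools, then report asset count and
control-coverage gaps. Added example; not any vendor's implementation."""
from collections import defaultdict

# Constructed sample pulls, as three API connectors might return them.
# Note the inconsistent hostname casing, MAC formatting and missing fields.
SOURCE_RECORDS = [
    {"source": "edr",     "hostname": "WEB-01.corp.example", "mac": "AA:BB:CC:00:00:01", "ip": "10.0.0.5",  "os": "Ubuntu 22.04"},
    {"source": "scanner", "hostname": "web-01",              "mac": "aa-bb-cc-00-00-01", "ip": "10.0.0.5",  "cves": ["CVE-SAMPLE-1"]},
    {"source": "cmdb",    "hostname": "web-01.corp.example", "mac": None,                "ip": "10.0.0.5",  "owner": "platform"},
    {"source": "scanner", "hostname": "db-02",               "mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.9",  "cves": []},
    {"source": "cmdb",    "hostname": "DB-02.corp.example",  "mac": "AA-BB-CC-00-00-02", "ip": "10.0.0.9",  "owner": "data"},
    {"source": "edr",     "hostname": "laptop-7",            "mac": "aa:bb:cc:00:00:07", "ip": "10.1.0.21", "os": "Windows 11"},
]


def normalize(rec):
    """Canonicalize the fields used for correlation: short lowercase hostname,
    MAC reduced to its 12 hex digits (separators and case differ per tool)."""
    host = (rec.get("hostname") or "").lower().split(".")[0] or None
    mac = rec.get("mac")
    mac = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef") if mac else None
    return {**rec, "hostname": host, "mac": mac}


def identity_keys(rec):
    """Keys two records may share if they describe the same asset (assumed: MAC, hostname)."""
    keys = set()
    if rec["mac"]:
        keys.add(("mac", rec["mac"]))
    if rec["hostname"]:
        keys.add(("host", rec["hostname"]))
    return keys


def consolidate(records):
    """Union-find over shared identity keys, so A~B and B~C merge A, B and C
    even when A and C share no key directly (e.g. a CMDB row with no MAC)."""
    recs = [normalize(r) for r in records]
    parent = list(range(len(recs)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, r in enumerate(recs):
        for key in identity_keys(r):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i

    groups = defaultdict(list)
    for i in range(len(recs)):
        groups[find(i)].append(recs[i])

    assets = []
    for members in groups.values():
        asset = {"sources": sorted({m["source"] for m in members}), "cves": set()}
        for m in members:
            for field, value in m.items():
                if field == "source" or value in (None, "", []):
                    continue
                if field == "cves":
                    asset["cves"].update(value)       # union findings across scanners
                else:
                    asset.setdefault(field, value)    # first non-empty value wins
        asset["cves"] = sorted(asset["cves"])
        assets.append(asset)
    return sorted(assets, key=lambda a: a["hostname"])


def control_gaps(assets, control_source):
    """Assets never reported by the named control tool, e.g. hosts with no EDR agent."""
    return [a["hostname"] for a in assets if control_source not in a["sources"]]


def inventory_summary(assets):
    return {
        "asset_count": len(assets),
        "edr_gaps": control_gaps(assets, "edr"),
        "with_cves": [a["hostname"] for a in assets if a["cves"]],
    }


if __name__ == "__main__":
    merged = consolidate(SOURCE_RECORDS)
    print(inventory_summary(merged))  # 3 assets, db-02 lacks EDR, web-01 carries a CVE
```

The point the text makes about data quality shows up directly here: the CMDB row for web-01 has no MAC, so correlating on a single key would have produced a fourth, duplicate asset. Transitive merging repairs that case, but nothing in this pipeline can supply the vulnerability, exposure or SBOM detail the source tools never collected.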

The obstacles for CAASM

Existing CAASM solutions have several architectural limitations that will hamper their ability to expand to security use cases at scale. These include:

Absence of native assessment: Most CAASM solutions do not offer native assessment and discovery capabilities. Thus, assets and applications managed by custom and homegrown tools that do not provide standard APIs are left out.

Poor data quality: Although CAASM aims to improve asset visibility by consolidating data, it does not address poor data quality and granularity, i.e., providing visibility into vulnerabilities, exposures, and SBOMs associated with an asset. This requires collaboration with system owners to extract additional data from their systems.

Lack of native security data models: Many CAASM vendors weren’t built for security. They struggle to ingest and normalize security events across different environments into a unified data model, which leads to data reconciliation challenges and difficult-to-resolve conflicts with source systems.

Limited actionability: CAASM vendors often provide limited response actions for identified security issues, such as the presence of CVEs, addressing them merely by opening tickets or running scripts, which slows the mobilization and fixing of CVEs. Additionally, CAASM tools face challenges in extremely large environments with millions of assets and vulnerability instances, limiting their usability.

Conflicts with VM tools: Even though some CAASM tools may claim to gather large volumes of vulnerability and exposure data, they must demonstrate integration with VM tools and processes. Without proper integration, the already overwhelmed vulnerability management processes may suffer from ineffective prioritization, potentially leading to inaccurate findings.

What should CISOs do?

Given tight budgets and finite resources, CISOs should think twice about investing in pure-play CAASM technologies. Notably, recent Gartner reports indicate that the future of CAASM lies in providing exposure management. The key driver for this is an overwhelming volume of vulnerabilities. In 2024 alone, vulnerability management teams will need to analyze 30,000+ CVEs. If you also count non-CVEs such as misconfigurations, EOL systems, and application risk findings, security teams must analyze 100,000+ CVEs and non-CVEs, collectively called exposures. For large organizations, this spans millions of assets.

Exposure management platforms such as Balbix already provide all the CAASM features, fill the gaps described above, and add more. This includes:

Exposure assessment: This baseline functionality aggregates data from all your attack surfaces: internal, external, cloud, digital, and users, which is essentially all of CAASM's functionality. Further, it includes native assessment capabilities that bring in CVE and non-CVE data from software, applications, SBOMs, and directly from the network, and correlate them. The data is deduplicated, normalized, and unified into a single pane of glass. Gartner has identified Balbix as a representative vendor in the Hype Cycle for Security Operations.

Native discovery: Strong exposure management platforms include the entire CAASM connector library, plus native discovery, including host and network-based scans, which enables security teams to discover CVEs and non-CVEs in your environment.

Built-in inferencing: Leveraging AI, exposure management tools can infer CVEs and non-CVEs, compensating for missing, incomplete, or corrupted data from source tools. Additionally, exposure management tools enrich CVE and non-CVE data from external sources to provide a contextualized view of risks.

Inclusive of vulnerability management: All aspects of vulnerability management, plus risk-based prioritization. It uses data about severity, threat level, exploitability, security control assessment, and business impact to identify the assets most likely to be exploited and to cause the most significant impact.
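A small working model of risk-based prioritization over exactly the five inputs named above, applied to a mix of CVE and non-CVE findings. This is an added example, not Balbix's scoring model or any vendor's code; the weights, the reachability and threat-level tables, the control-coverage factor and the sample findings (with placeholder CVE identifiers) are all constructed assumptions for illustration.

```python
"""Toy risk-based prioritization: severity x threat level x exploitability
(reachability) x control assessment x business impact, summed per asset.
Added example with constructed weights; not any vendor's scoring model."""

# Constructed findings, one CVE or non-CVE exposure on one asset each.
# CVE identifiers are placeholders, not real CVE numbers.
FINDINGS = [
    {"id": "CVE-SAMPLE-1", "asset": "web-01",   "cvss": 9.8,  "kev": True,  "exploit_public": True,
     "controls": {"waf": True, "edr": True}, "business_impact": 0.9, "exposed": "internet"},
    {"id": "CVE-SAMPLE-2", "asset": "db-02",    "cvss": 9.8,  "kev": False, "exploit_public": False,
     "controls": {"edr": False},             "business_impact": 1.0, "exposed": "internal"},
    {"id": "CVE-SAMPLE-3", "asset": "laptop-7", "cvss": 5.3,  "kev": False, "exploit_public": False,
     "controls": {"edr": True},              "business_impact": 0.2, "exposed": "internal"},
    {"id": "EOL-OS",       "asset": "db-02",    "cvss": None, "kev": False, "exploit_public": True,
     "controls": {"edr": False},             "business_impact": 1.0, "exposed": "internal",
     "severity": 0.7},  # non-CVE: analyst-assigned severity, no CVSS
]

# Assumed weights. "kev" stands for a finding listed in a known-exploited catalog.
THREAT_LEVEL = {"kev": 1.0, "public_exploit": 0.7, "none": 0.3}
REACHABILITY = {"internet": 1.0, "internal": 0.5}


def severity(f):
    """CVSS base score scaled to 0..1; non-CVE exposures carry their own severity."""
    return f["cvss"] / 10 if f.get("cvss") is not None else f["severity"]


def threat_level(f):
    if f["kev"]:
        return THREAT_LEVEL["kev"]
    if f["exploit_public"]:
        return THREAT_LEVEL["public_exploit"]
    return THREAT_LEVEL["none"]


def control_factor(controls):
    """1.0 with no compensating controls in place, down to 0.5 when every
    expected control for the asset is present (assumed 50% risk reduction)."""
    if not controls:
        return 1.0
    present = sum(1 for ok in controls.values() if ok)
    return 1.0 - 0.5 * present / len(controls)


def risk_score(f):
    """0..100: likelihood terms (threat, reachability, controls) times impact terms."""
    return (100 * severity(f) * threat_level(f) * REACHABILITY[f["exposed"]]
            * control_factor(f["controls"]) * f["business_impact"])


def prioritize(findings):
    """Findings ordered by risk, not by CVSS alone."""
    return sorted(findings, key=risk_score, reverse=True)


def asset_risk(findings):
    """Aggregate per asset, to answer 'which assets are likely to be exploited
    and cause the most impact'."""
    totals = {}
    for f in findings:
        totals[f["asset"]] = totals.get(f["asset"], 0.0) + risk_score(f)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f['id']:14} {f['asset']:10} {risk_score(f):6.2f}")
    print(asset_risk(FINDINGS))
```

Worth noticing in the output: the two CVSS 9.8 findings land at opposite ends of the list, and the EOL operating system, which has no CVE at all, outranks the internal, unexploited critical CVE. That reordering is what the text means by prioritization driven by threat, exploitability, controls and business impact rather than by severity alone; with real data the weights would be tuned and validated rather than assumed as here.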

Actionable recommendations & mobilization: Exposure management (EM) platforms provide the next best steps for security teams to focus on critical risk areas. Many out-of-the-box automations help mobilize remediation, such as two-way integration with ticketing tools, patch recommendations, remediation projects, and gamification.

But there is more…

In addition, best-in-class exposure management tools offer these additional capabilities, making investments in them a no-brainer.

Cyber Risk Quantification: With risk quantification, the impact of exposures is translated into dollars or local business currencies. Using this, security leaders can understand their material assets and clearly communicate the breach’s impact to non-technical stakeholders.

Native GenAI assistant: Built-in cybersecurity AI assistants can empower every key player in cybersecurity – including the CISO, CIO, VM teams, security operations, IT staff, and legal teams – with their own AI assistants. These assistants communicate using language appropriate for their roles, making it easier for each stakeholder to understand the cyber risk and how to reduce the organization’s attack surface.

Self-healing CMDBs: Bidirectional integration with any Configuration Management Database (CMDB) lets the platform draw from, enrich, update, and correct asset data in CMDBs or IT Asset Management (ITAM) tools.

Tool gaps/overlap: Identify gaps in security control coverage and point out overlapping tools. For example, the platform can identify and report all endpoints lacking Endpoint Detection and Response (EDR) coverage. Where coverage overlaps, security leaders can decommission tools.


So, what’s next?

Don’t take our word for it. Check out Gartner’s insight on the future of CAASM. You can also get a demo of Balbix exposure management to see how we address all CAASM and exposure management use cases mentioned earlier.